Curve Finance, a significant player in the decentralized finance (DeFi) protocol, was threatened with near-collapse due to a critical vulnerability in the Vyper programming language.
This exploit risked nearly $100 million in digital assets, but a surprising reprieve came from a source normally associated with traditional finance — a centralized exchange price feed.
The issue was rooted in specific versions of Vyper which led to a malfunctioning reentrancy lock. This flaw facilitated a sizable drain from four Curve pools, plummeting the value of Curve’s native token (CRV) to as low as $0.086 on decentralized exchanges.
While it may seem antithetical to DeFi’s core principles, the CEX price feed held the CRV price at $0.60 on centralized exchanges, preventing the token’s total collapse. Curve’s pools use Chainlink’s oracle system, which integrates price feeds from several sources, including CEXs.
❤💛💚💙
If #ChainLink team listened to Chris Blec, the whole Curve protocol would be at ZERO right now.
ChainLink price feed includes CEXes.
CRV hit $0.086c DEX, but was $0.60c CEX.#LINK team have a multi-sig for now, and plan to decentralize when the Bug-Eaters take over pic.twitter.com/tE6gFgPF9J
— yourfriendSOMMI ❤️💛💚💙 (@yourfriendSOMMI) July 30, 2023
The price feeds from centralized exchanges, part of Chainlink’s oracle system used by Curve’s pools, played a key role in this incident.
Binance, one of the major players in the cryptocurrency exchange realm, emerged unscathed from the Vyper vulnerability. CEO Changpeng Zhao, while highlighting the importance of keeping code libraries updated, pointed out the irony of a centralized system coming to the rescue of a decentralized protocol:
“It’s important to stay up-to-date with code libraries, apps and OS. And stay SAFU [Secure Asset Fund for Users].”
The exploitable issue within Vyper’s earlier versions, 0.2.15, 0.2.16 and 0.3.0, is believed to be at least 1.5 years old, affecting Curve’s aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH pools. The meticulous planning and resources invested in the attack led a Vyper program contributor to suggest the possibility of a state-sponsored effort.
The market has been contracting, which means opportunities for bugs is also contracting, which means black hats are looking for fresh, untapped sources to explore.
I think that fresh, untapped source is now searching for compiler 0 days
That’s terrifying for a number of reasons
— señor doggo 🏴🏴☠️ in his wartime ceo era (@fubuloubu) July 31, 2023
Share this article
URL Copied
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
